Shotgun provides advanced permissions to control who can see and do what throughout the system. Permissions are controlled by 'permission roles'; one person is assigned to one role.

Default roles that ship with Shotgun are:

Admin

Admins have complete control over all operations in Shotgun (the only exceptions here include modifying things that are required by the system, such as deleting the Template Project).

Artist

Artists can only see Projects that they are specifically assigned to. Artists can update or edit:

Notes if they are the author of that Note,

Status fields on Tasks they are assigned to, though they can’t edit other Task fields,

Versions, Time Logs, and Tickets if they are the creator of those entities.

Manager

Managers share most functionality with Admins but have certain entities restricted by default. There are no conditional permissions present on the manager default group.

Vendor

Vendors can only see Projects that they are specifically assigned to. Additionally, Vendors can only see:

Tasks that they (or a group that they are in) are assigned,

Shots and Assets if they (or a group that they are in) are assigned to a Task on that Shot or Asset,

Notes if they (or a group that they are in) are in the To or CC field, or if they created the Note, and

Versions that they create.

Admins can create new permission roles.

Click the “+ New Permission Role” button in the upper right of the permissions page.

You’ll need to give the new permission role a name, and choose a Template. Default permissions will be set for the new permission role based on the template you choose. This saves a lot of time in setting up brand new permission roles.

Finding out what the default permissions are

You can easily find out exactly what your stored default permissions are by following these instructions.

Go to the Admin Permissions page

Click to expand a particular role (e.g., Artist)

Click to expand 'Reset to Defaults'. Doing this will not reset anything without also clicking 'Save changes'Click to enlarge image above

Note: We occasionally change how these defaults work, and package them up in migrations. When changes occur, we never modify the permissions in use on your server, but we do change the stored defaults. This is documented in our release notes.

What you can control with permissions

Entity permissions (who can see or create a Note)

Field permissions (who can see or edit the "Status" field on the Note Entity)

App permissions (who can see or edit Apps)

Advanced permissions (misc. control over things like who can save pages where, etc.)

Reset to defaults

From the permissions page, you’ll be able to reset any permission role back to its default permissions (the exact same default permissions that come bundled with a newly installed version of Shotgun). Here are the default roles:

Default Admin

Default Artist

Default Manager

Note: There is no default Vendor role.

Resetting a role to one of the stored defaults

Go to the permissions page

Click to expand the role you’d like to reset

Click to expand 'Reset to Default'

Choose one of the other roles from the dropdown

Click 'Reset'

Please Note: You currently cannot reset a group to the default vendor permissions in the UI. If you need to reset to the vendor defaults (see feature request here), please write in to support@shotgunsoftware.com but it is recommended to make a copy of your vendor group should you want to edit it.

You can see and edit permissions on individual fields or entities themselves, or in the Permissions area of the Admin menu (for those with permission!).

Checking a person's permissions

To see or modify which permission group a person is in, go to the People page. Each person’s account record has a permissions group field where you can change their permission group, and therefore what changes they’re able to make in Shotgun.

Double-click into the field to choose the right permission role for each Person. You can also select multiple People, and right-click anywhere in the permission group field on a record. Choose "Edit Selected", and then choose the permission role to apply to everyone in one go.

Example: Editing permissions on a field

This is the most common case for ongoing permission tweaking, so we'll start here. Every field in Shotgun has two types of permissions on it: who can see the field and who can edit the field.

Who can do this?Anyone who can edit fields has access to the configure field dialog. Just right-click on the column header of the field (in list mode), select the "Configure field..." option, then click the Permissions tab in the dialog that appears, make your changes, and click 'Update field'. This is good to quickly view or adjust permissions on individual fields, and can be done on any grid page.

Note: If any checkbox in the permission tab is greyed out, this means that the field is either uneditable, or there's a conditional (advanced) permission rule on the field, and can't be edited through the UI.

Example: Editing permissions on an entity

In the entities section of site preferences, you'll notice a 'Permissions' section. Clicking this loads in all the permissions—by permission role, for that particular entity type—handy when you want to see and edit permissions when dealing directly with an entity. Every entity in Shotgun has four types of permissions: who can see it, who can create it, who can retire it, and who can edit it.

Entity Permissions from Site Prefs. Every entity listed in site prefs has an expandable Permissions section that allows you to see and edit permissions for that entity.

Changing entity permissions

From the Site Preferences page, locate and expand the entity you'd like to modify permissions for (e.g., Asset)

Click to expand the 'Permissions' widget inside the entity section

Check or uncheck any of the checkboxes for the four categories of entity permissions (see, create, retire, and edit)

Scroll up to the top of the preferences page and click 'Save Changes'

How entity permissions work

Who can see <entities>Controls whether or not a role can ever view entities of that type in the UI. For example, if Artists can't see the 'Delivery' entity, they'll never be able to view pages that list Deliveries.

Who can create <entities>Controls whether or not a role can ever create an entity of a particular type.

Who can retire <entities>Controls whether or not a role can ever retire an entity of a particular type.

Who can edit <entities>Controls whether or not a role can ever edit an entity of a particular type. For example, if you set this to yes on Artist for the Asset entity type, Artists will be able to edit any Asset field, unless this is overridden in the field permissions. Setting it to no means that a role won't be able to edit any fields on that entity.

Example: Editing permissions on a personal page

While in Design Mode on a global page (a page not assigned to a Project), you can choose to either share that page with “No One” (so it’s private), or “Everyone”, then pick the permission groups who can see it.

While in Design Mode on a page that is assigned to a Project, you can also pick the permission groups who can see it.

Page permissions only control the visibility of the page in the quickjump and Pages menu. Page permissions do not control visibility of the data on a page.

Permission overview and advanced permissions

If you'd like to access a single place to view or change permissions of any sort, go to the Admin Permissions page. From here, you can edit entity permissions, field permissions, app permissions, reset roles to default settings, and assign miscellaneous administrative access rights (like who can set permissions or save pages).

About the Permissons pageEach enabled permission role (e.g., Admin, Artist, Manager, and Vendor) shows up on the Permissions page with the following expandable options:

Summary

Entity Permissions

Field Permissions

App Permissions

Advanced

Reset to Defaults

Summary

The summary shows you a line-by-line breakdown of permissions for a particular role (warning: this breakdown can be a little techy since it follows exactly what is printed out in the ruby console).

Entity Permissions

This shows all enabled entities, broken down by permission role. For each entity, it shows the see, create, delete, and edit permissions for that role.

Note: Greyed out checkboxes indicate that there's a conditional (advanced) permission rule for that operation (e.g., Artists can only edit Timelogs they are linked to and edit fields on Notes they have created).

Example: Allowing Artists to create Tasks

Go to the Permissions page

Click to expand the 'Artist' role

Click to expand 'Entity Permissions'

Locate the 'Task' entity type, then check the 'Create' checkbox

Scroll all the way up and click 'Save Changes'

All people in the Artist role from this point on will be able to create Tasks

Field Permissions

Field Permissions are broken down by permission role, then by entity type. It shows the See and Edit permissions by field for a given permission role. By default, permissions on entity fields are inherited from the entity-level permissions. For example, if you configure the Artist role to be able to Edit the Task entity, they'll also be able to edit any Task field (with certain exceptions ), unless explicitly prohibited.

The following types of fields can never be configured to be editable:

Read-only fields (e.g., all Id fields, all audit fields like Created by and Date Created, and calculated fields like Open Notes Count and Smart Cut fields on Shot)

Fields with conditional permissions (e.g., Task Status for Artists)

Note: Greyed out checkboxes indicate that the operation (for example, Edit Asset > Created by) is protected because the field is read-only (in the case of audit fields), or that the operation is protected by a conditional (advanced) permission rule. To find out why a particular field isn't editable, just hover over it to get a tooltip.

Example: Allowing Artists to edit the Asset Description field

Go to the Permissions page

Click to expand the Artist role

Click to expand 'Field Permissions'

Click to expand the 'Asset' entity type

Locate the 'Description' field, then check the 'Edit' checkbox

Scroll all the way up and click 'Save Changes'

All people in the Artist role from this point on will be able to edit the Description field on an Asset

Advanced

Use these preferences to control access to very specific administrative features, described below.

When ‘Hide Global Nav’ is checked, people will not be able to see or use the navigation bar controls at the top of the page. They will only be able to see their Shotgun Home page, pages they can link to from the Home page, or pages they know the URL for.

allow the creation of toolkit eventlogentries

If using Toolkit, then there are certain actions that create EventLogEntries via the API. Allowing the creation of these EventLogEntries prevents Toolkit from breaking while keeping the default of not being able to create entities. For more information, visit the Toolkit forums.

Edit Global Formatting

Only people with this permission will be allowed to create Global Formatting rules, which affect formatting on every page in Shotgun.

Edit default and project work schedules

When ‘Edit default and project work schedules’ is checked, people will be able to view and edit project and default schedules.

Hide ‘Other’ menu in Project Nav

In the Project nav bar, don’t show people the ‘Other’ menu.

Hide Saved Filters in Filter Panel

People with this permission enabled will not be able to see or turn off any active Saved Filters in the Filter Panel.

Manage Project Navigation Bar

Allow users with this permission to configure which pages appear in the navigation bar that appears at the top of the project.

Create and Save Project Pages

Only people will this permission will be able to add new pages to a Project or save existing ones.

Can Design and Save Home Page

Only people with this permission will be able to make changes and save the legacy Home Page (at one point, everybody had the same customizable Home Page, but now that anyone can choose their own Home Page, this permissions only applies to the original customizable Home Page).

Save Filters and Sorting in My Tasks

This permission allows someone to save how Tasks are sorted and filtered by default for all people.

Save Navigation Pages and Detail Pages

Allow users with this permission to save changes to the main project navigation pages and entity detail pages.

People will only see Projects they are assigned, including all data linked to those Projects. To assign a person to a Project, edit the ‘Projects’ field on People, or the ‘People’ field on Projects.

Can see Client Notes

Only people with this permission can see Notes created by Clients (ClientUsers).

See Non-Project Notes

If a Person is restricted to only see Projects they are assigned, this option creates an exception that allows them to see all Notes that are not linked to a Project.

See Non-Project Tasks

If a Person is restricted to only see Projects they are assigned, this option creates an exception that allows them to see all Notes that are not linked to a Project.

Set Permissions

This checkbox preference requires that the ‘Use Admin Options’ preference is also checked.

Can Share Playlists via Client Review Site

Only people with this permission can share a Playlist using the Client Review Site.

allow “sudo”: perform actions and log events as though logged in as another user *

When enabled on a Human User permission group, allows for the “Assume Identity” functionality from a People page. When enabled for an API Permission group, allows for use of the sudo_as_login variable when establishing a Shotgun connection.

Can use the Overlay Player

Provides quick access to view uploaded media, allows for feedback with notes and annotation tools, and shows other related media.

a) Is there a help website I can find which shows me the documentation for user account permission summaries ( read-only ) through either the Shotgun, or the Shotgun Toolkit API's ? Wish to query and construct a spreadsheet overview of different roles for comparison.

b) If I have a pre-existing permission scheme set up on one hosted website, is it plausible to mirror that scheme over to another hosted website without re-entering it manually on the target site?